Hacked Sites Load up for Android

Friday, May 4, 2012 @ 03:05 PM gHale

In what may be a first, researchers are now finding Android drive-by download malware loaded on hacked websites.

A new Trojan, called NotCompatible, appears to serve as a simple TCP relay while posing as a system update named “Update.apk.” It does not currently seem to cause any direct harm to a target Android device, but could potentially gain access to private networks by turning an infected smartphone into a proxy.

An attacker could potentially use a device infected with NotCompatible to reach normally protected information or systems, such as those maintained by enterprises or governments. Security firm Lookout described how, when a user visits a compromised website from an Android device, the malicious app downloads automatically.

Here’s where it gets tricky: This attack requires further user interaction. Although Android lets you download and install apps from anywhere, in addition to the official Google Play store, this attack still has two requirements.

First of all, the Android device has to have sideloading on (the “Unknown sources” setting has to be enabled) or this won’t work. Secondly, when the suspicious app finishes downloading automatically, the device will prompt the user to install it.

So, the device needs to be set to approve apps not from the Google Play store, and the user has to agree to install the app. The success of such an attack largely depends on user ignorance and the popularity of the affected sites.

Since the infected sites in question are showing relatively low traffic right now, the total impact on Android users is likely low. This is a viable way to mass attack Android devices, but it isn’t seeing use just yet. It can, however, work for targeted attacks on individuals who take their Android device to work with them.